c2d8a252306ab22043f21d28473e36754b85add10368004ea5260e7123cb0a94

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Size

812KB
MD5

062a52024a60ad55813654ede1bcab9c
SHA1

8eed64f31f62adfdb86c844dfb15d7f4c885085c
SHA256

c2d8a252306ab22043f21d28473e36754b85add10368004ea5260e7123cb0a94
SHA512

e7511ea1b8c435997d25215229b47323b923fd3a53ed881046f69e538f5ab8028378a4ace0df133cf87eb5bf76e8858e625ed32adc425c83d5a29f77c0f982f8
SSDEEP

24576:YgNYvIOvPnjGM6xxJ60mVI/ba0xuVmrkAMlNFunUDR7:YggIWWxxJ6Z47xOskASFSUB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
3268	KSWebShield.exe
1968	KSWebShield.exe
2312	KSWebShield.exe
4768	KSWebShield.exe
2268	KSWebShield.exe
908	KSWebShield.exe

Loads dropped DLL 19 IoCs

pid	Process
2312	KSWebShield.exe
4768	KSWebShield.exe
4768	KSWebShield.exe
4768	KSWebShield.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
3524	IEXPLORE.EXE
3524	IEXPLORE.EXE
3524	IEXPLORE.EXE
3524	IEXPLORE.EXE
4312	IEXPLORE.EXE
4312	IEXPLORE.EXE
4312	IEXPLORE.EXE
4312	IEXPLORE.EXE
3924	IEXPLORE.EXE
3924	IEXPLORE.EXE
3924	IEXPLORE.EXE
3924	IEXPLORE.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	KSWebShield.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	KSWebShield.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	KSWebShield.exe
File created	C:\Windows\SysWOW64\safe.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	KSWebShield.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\progra~1\ico\meiv.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\ico\liaotian.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\kingsoft\kwsui.dll	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\progra~1\ico\Beauty.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\ico\Taobao.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\kingsoft\KSWebShield.exe	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\kingsoft\kwssp.dll	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\Program Files\kingsoft\KWSSVC.log	KSWebShield.exe
File opened for modification	C:\progra~1\TheWorld 3\TheWorld.ini	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\progra~1\Maxthon\Config\config.ini	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\progra~1\Maxthon2\SharedAccount\Config\Config.ini	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\ico\Film.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File created	C:\progra~1\kingsoft\KSWebShield.dll	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~1\kingsoft\KWSSVC.log	KSWebShield.exe
File created	C:\progra~1\ico\Video.ico	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
File opened for modification	C:\Program Files\kingsoft\KWSSVC.log	KSWebShield.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f00000000020000000000106600000001000020000000af8b04fc752c1b29ea80a737c10a8919d62da8799ad6e2520f1940fb3551c129000000000e800000000200002000000048abcc587bbf4e9e39ddae4a60154a8b3bd153754cfd024ba794b102d813ba7d20000000cfe236a4b0783f8bec8635f8b96cd7773bfe9a34888ca338397e25861673816e400000009505980c85ab9d273ad5a8afbe44644073e1498d63868ee5aa618797f60148580d0b9d85a6ed71b867b7a8235fd1b9900a22c86825929d3e3caca9d177c24e69	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ac39f210c3da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.v258.net = "0"	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b08828f810c3da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425049894"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{228B722D-2F04-11EF-92F1-527CD1CC5F27} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f00000000020000000000106600000001000020000000550ac68ce629bcf19428b6d21c52e2ab10afcc421058df684d0aa48c46813f96000000000e80000000020000200000000668cecc0b32442824dac8bc1875052294bcfd802e0cb6a52194b3718e600c7220000000ba0ca509038cc5319ab0fd73985f40c1a7e67a6fd4e8a7fa2d1555007526464e40000000db61eee88352550963a62c902c62bda5189865204f4d3bd42f4bf8f9710e4cc9caa6e3d0f696115584caa75a5a86f252f9156e3a3859b53e69d201be26c811fa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	KSWebShield.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	KSWebShield.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	KSWebShield.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	KSWebShield.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3180	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeDebugPrivilege	3268	KSWebShield.exe
Token: SeDebugPrivilege	1968	KSWebShield.exe
Token: SeDebugPrivilege	2312	KSWebShield.exe
Token: 33	2312	KSWebShield.exe
Token: SeIncBasePriorityPrivilege	2312	KSWebShield.exe
Token: SeDebugPrivilege	2268	KSWebShield.exe
Token: SeDebugPrivilege	908	KSWebShield.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: 33	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
1528	iexplore.exe
1528	iexplore.exe
1528	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
4768	KSWebShield.exe
4768	KSWebShield.exe
1528	iexplore.exe
1528	iexplore.exe
3524	IEXPLORE.EXE
3524	IEXPLORE.EXE
1528	iexplore.exe
1528	iexplore.exe
4312	IEXPLORE.EXE
4312	IEXPLORE.EXE
1528	iexplore.exe
1528	iexplore.exe
3924	IEXPLORE.EXE
3924	IEXPLORE.EXE
3924	IEXPLORE.EXE
3924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 3268	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	88
PID 4496 wrote to memory of 3268	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	88
PID 4496 wrote to memory of 3268	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	88
PID 4496 wrote to memory of 1968	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	91
PID 4496 wrote to memory of 1968	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	91
PID 4496 wrote to memory of 1968	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	91
PID 2312 wrote to memory of 4768	2312	KSWebShield.exe	94
PID 2312 wrote to memory of 4768	2312	KSWebShield.exe	94
PID 2312 wrote to memory of 4768	2312	KSWebShield.exe	94
PID 4496 wrote to memory of 1528	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	98
PID 4496 wrote to memory of 1528	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	98
PID 1528 wrote to memory of 3524	1528	iexplore.exe	99
PID 1528 wrote to memory of 3524	1528	iexplore.exe	99
PID 1528 wrote to memory of 3524	1528	iexplore.exe	99
PID 4496 wrote to memory of 1552	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	100
PID 4496 wrote to memory of 1552	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	100
PID 4496 wrote to memory of 1552	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	100
PID 4496 wrote to memory of 4916	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	102
PID 4496 wrote to memory of 4916	4496	062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe	102
PID 1552 wrote to memory of 3180	1552	cmd.exe	103
PID 1552 wrote to memory of 3180	1552	cmd.exe	103
PID 1552 wrote to memory of 3180	1552	cmd.exe	103
PID 1528 wrote to memory of 4312	1528	iexplore.exe	104
PID 1528 wrote to memory of 4312	1528	iexplore.exe	104
PID 1528 wrote to memory of 4312	1528	iexplore.exe	104
PID 1552 wrote to memory of 2428	1552	cmd.exe	109
PID 1552 wrote to memory of 2428	1552	cmd.exe	109
PID 1552 wrote to memory of 2428	1552	cmd.exe	109
PID 1552 wrote to memory of 2500	1552	cmd.exe	110
PID 1552 wrote to memory of 2500	1552	cmd.exe	110
PID 1552 wrote to memory of 2500	1552	cmd.exe	110
PID 1552 wrote to memory of 3036	1552	cmd.exe	111
PID 1552 wrote to memory of 3036	1552	cmd.exe	111
PID 1552 wrote to memory of 3036	1552	cmd.exe	111
PID 1552 wrote to memory of 5116	1552	cmd.exe	112
PID 1552 wrote to memory of 5116	1552	cmd.exe	112
PID 1552 wrote to memory of 5116	1552	cmd.exe	112
PID 1552 wrote to memory of 1712	1552	cmd.exe	113
PID 1552 wrote to memory of 1712	1552	cmd.exe	113
PID 1552 wrote to memory of 1712	1552	cmd.exe	113
PID 1552 wrote to memory of 2308	1552	cmd.exe	114
PID 1552 wrote to memory of 2308	1552	cmd.exe	114
PID 1552 wrote to memory of 2308	1552	cmd.exe	114
PID 1552 wrote to memory of 2420	1552	cmd.exe	115
PID 1552 wrote to memory of 2420	1552	cmd.exe	115
PID 1552 wrote to memory of 2420	1552	cmd.exe	115
PID 1552 wrote to memory of 2032	1552	cmd.exe	116
PID 1552 wrote to memory of 2032	1552	cmd.exe	116
PID 1552 wrote to memory of 2032	1552	cmd.exe	116
PID 1552 wrote to memory of 2268	1552	cmd.exe	117
PID 1552 wrote to memory of 2268	1552	cmd.exe	117
PID 1552 wrote to memory of 2268	1552	cmd.exe	117
PID 1552 wrote to memory of 5048	1552	cmd.exe	118
PID 1552 wrote to memory of 5048	1552	cmd.exe	118
PID 1552 wrote to memory of 5048	1552	cmd.exe	118
PID 1552 wrote to memory of 3940	1552	cmd.exe	119
PID 1552 wrote to memory of 3940	1552	cmd.exe	119
PID 1552 wrote to memory of 3940	1552	cmd.exe	119
PID 1552 wrote to memory of 1740	1552	cmd.exe	120
PID 1552 wrote to memory of 1740	1552	cmd.exe	120
PID 1552 wrote to memory of 1740	1552	cmd.exe	120
PID 1552 wrote to memory of 912	1552	cmd.exe	121
PID 1552 wrote to memory of 912	1552	cmd.exe	121
PID 1552 wrote to memory of 912	1552	cmd.exe	121

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
384	attrib.exe
3192	attrib.exe
4284	attrib.exe
1244	attrib.exe
2956	attrib.exe
4080	attrib.exe
3400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\062a52024a60ad55813654ede1bcab9c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -start
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.6626.net/?ukt-31
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:17410 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3524
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:17416 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4312
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:17424 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lnk.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:f
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:f
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:f
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:f
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:f
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:f
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" /p everyone:f
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" +R +S
    3⤵
    - Views/modifies file attributes
    PID:3400
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:384
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:3192
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:4284
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:1244
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:2956
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" +R +S
    3⤵
    - Views/modifies file attributes
    PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:R
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀┬■╗¡.url" /p everyone:R
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\├└┼«╩╙╞╡.url" /p everyone:R
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╡τ╙░.url" /p everyone:R
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╨╘╕╨├└┼«.url" /p everyone:R
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╠╘▒ª╣║╬∩.url" /p everyone:R
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\╘┌╧▀╨í╦╡.url" /p everyone:R
    3⤵
    PID:4704
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v921.com/?uk-31
  2⤵
  - Modifies Internet Explorer settings
  PID:4916
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?kj-31
  2⤵
  - Modifies Internet Explorer settings
  PID:1384

C:\Windows\System32\expand.exe
"C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\Temp\url.cab" -F:*.* "C:\Users\Admin\Desktop
1⤵
- Drops file in Windows directory
PID:4492

C:\Windows\System32\expand.exe
"C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\Temp\url.cab" -F:*.* "C:\Users\Admin\Favorites
1⤵
- Drops file in Windows directory
PID:3156

C:\progra~1\kingsoft\KSWebShield.exe
C:\progra~1\kingsoft\KSWebShield.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\progra~1\kingsoft\KSWebShield.exe
  C:\progra~1\kingsoft\KSWebShield.exe -run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4768

C:\Program Files\kingsoft\KSWebShield.exe
"C:\Program Files\kingsoft\KSWebShield.exe" -install
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Program Files\kingsoft\KSWebShield.exe
"C:\Program Files\kingsoft\KSWebShield.exe" -start
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
448B

MD5
125cfd17ddb6d8c2ae42d0ccdda402eb

SHA1
2d1d5ed32d1510b79bd845c503df66afcdf2dcd9

SHA256
4954fccd0fb77d566ce2a39d7719e149fbd4d984b77e62d4cf12e24c2526f4ef

SHA512
d1ff6c866d25d5d00ab2cd7dc04e406a602bea4b5e56b10f9f5c90dd5cee5f02e4678c5a1676a12b27f223635afb4cd1160a6dc145a5f137aba92e3ffadb9dce

Download Submit
C:\PROGRA~1\kingsoft\KWSSVC.log

Filesize
546B

MD5
13cf86b0a927fb9d6b9d19dbd4abdde6

SHA1
4e5114e4444e0104aa09644d3c4705100e7a16a2

SHA256
85ea49b022f0c8069e06407645829480c3d61984328f17c1527dff5db3ed63b9

SHA512
39a9db8d78fa6a8e9d0e837d20de2b72fd8cd496505b0b6814158ae30d0a6b832a4a1a71bdc4866bb97631ad055d4dc87b86eb455b93fcc7e7768aabc06c5679

Download Submit
C:\Program Files\kingsoft\KSWebShield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\Program Files\kingsoft\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\Program Files\kingsoft\KWSSVC.log

Filesize
648B

MD5
58e59eccc234e18f3cb7f8eb51f7053c

SHA1
089be995f8bdd334825ce4c2c2b44395bfdb777f

SHA256
5cff9a2515b49a659ed6d84f094a91fd896f1f9b4441761ede6060a9e16b8ba4

SHA512
b760378156434bf83408c5d9dffe43b5b028141c804678044bdb4d285d2f3d7bdb94a0a203301fc8e4a3faf02bee4eabbc8a3dfc56dce3de8b43cc3dc154fdcf

Download Submit
C:\Program Files\kingsoft\KWSSVC.log

Filesize
748B

MD5
4dd570c617fe45ac6c069c825244155e

SHA1
554d3d0d91f65a00d3b3dbfe2e28d8edd4876b88

SHA256
02880b0d0361cc636bf43ce2b9b8275ce45f86a43db8b6984ca0a45f888ec31b

SHA512
a5b2da4af47d692319cb130dcd6b0bfa91bc517ef548446ae0b045912441e51900d15196d931c02157adf86120291775c0a0f7735afb0a7833f51d7be0ebffdf

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\360safe.lnk

Filesize
1KB

MD5
2a7ed6a833b97f570f162fd212951199

SHA1
6dd3eb3f6e8166401271a8a61e1fc9f8d1a97836

SHA256
5bf1e04b8f7ec2c506c0787e50a4fff3cf688434a2403da627ddf6edc533eb21

SHA512
5d1f342a4d179d7ef11ae68e51f3d9da6166096d4d4806c0319438787d099736374b292dccebc709fbaefdf7e316feade971eff060b1e600e1faa593f228b3e2

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\360sdo.lnk

Filesize
1KB

MD5
a0cd83eeb05b935bf65d0cd7c113184b

SHA1
51f69ea04802ee33de53e11e88597bd645cade05

SHA256
a51329ae63edcc059e5913fe4c6e077d3d1070feb35459dd2eddf9b0092e077b

SHA512
3b0246a384aaeb30191c4d7f480f3d1e0dfdd354b44194363d19b65c220a63d510a3e88694d1a8d7ea8c19c98bd7251de4d956150a9024b13aa7e3eec6c2409c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\KSWebShield.lnk

Filesize
1KB

MD5
d249e1ad02144156dd11ba961854e910

SHA1
97abcf014642b587a738a5df4f5f40f22abf17c4

SHA256
c31c41fb11cdae2e23dee60b800a3bd6c0544344fdfe339c1c48cce4b9ae301b

SHA512
c35316173b67bbeb637d4aeb6e8d7d254441658e73800908711adfc90b5fc6bffe99348c08ecac99130e9b7ed3636df2656c95841bbf412e32625b160ad0138e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\½ðÉ½Íø¶Ü.lnk

Filesize
1KB

MD5
66b91488488becc8bd32c8f1cb094861

SHA1
2520ddf96a8b51d4cb67f45b7185f028349310b1

SHA256
a549c903b4fa31e5641b77ec5c2067e170f9fb58f70d992453c294e565e0e6fd

SHA512
155dbc15d8bd370f572205e268a52504ebae22ec5a5b2b5cb02a1804757e8a3c9ad3d5c4698b601f4a4fe570017d0438587cf81818da2e4f73af54e0d4a15014

Download Submit
C:\ProgramData\kingsoft\kws\kws.ini

Filesize
77B

MD5
9d59982406a9576c514f9d1f7102f531

SHA1
56a809ba70dbec88c159d3f739fcb39d39e1ccad

SHA256
9675a30fd118b6e7965486ca14a02b1604a97a10b2f9bf9be77a2fcb411f2c03

SHA512
f8b8a0c1b3f8c8a4a865952c922ad35d6e9e8581fc8477a70856b499a5389a53a1f3c361385c69bed53da84bfe332330c3c5a6ac89c624ea24a52c43fbb875c5

Download Submit
C:\ProgramData\kingsoft\kws\kws.ini

Filesize
89B

MD5
751b51ad7e2983e8367746d37c8a52ae

SHA1
a99d86fbb458d226da56d3a8aff9abfb6809360d

SHA256
dbbd28a447f06ba3c32e6fd644696ba9cd23e1a06d2345b649f678b666689dfa

SHA512
876e66462101bf14272c3b5bd8cecd6ca17b9d1c581e1f79422246f193a9987b668d3ddb93eb7b9b02bb6a534ddc10e2bd50f203dc5ce84ff85a0aea9e9f34df

Download Submit
C:\ProgramData\kingsoft\kws\kws.ini

Filesize
57B

MD5
e64817127697b97ac2ca176bf39040a8

SHA1
3d521774aa469ba07360bb0dd0b0cbbca506e6ee

SHA256
5e73096316c9f1c0cc336163d46d8f8b1278bd91e0b2f67f608a5c01f007012a

SHA512
317f417952266a00f9ccbcc3b12aa14849dbf6eb9adb6778a83e7502494fe01e96e6252b38103245f900c05605662f6c7d9f943778e3043f7bd1905b80fcfedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnk.bat

Filesize
1KB

MD5
7224ccf9d4354e76d4b5e8b57d5dab17

SHA1
2a910ce03a6b7cfb09c220d85577258cb3ef3a7d

SHA256
76487df756feb13baa1af6c7b09041beb7c80115547796e126a4da2bf867a6df

SHA512
f601bc1148f38a8cbf72cd8e983326a673ffd8c4d69f413abeeba869f29ac7097eb3613cc2303a1c08c4d6fa2a694ac193d416fea41c48316e82c7f51b57e57e

Download Submit
C:\Users\Admin\Favorites\ÃÀÅ®ÊÓÆµ.url

Filesize
134B

MD5
f74aa96b9b45c6b94531b192d4926ed8

SHA1
9352c33b863662540afebc3e7570804f1ac8f23d

SHA256
31530927f5f5b0a42111845beeee35fa7d85aea04e3f8b26283b4b5fff01b3f2

SHA512
0665afb5e78385fcbf3def63e09358ac136162ccec3dd7b304f4d428c401ee38a1841d0c0fb691bb7ad0afe72d6958bd63886f4699176f5dbfedb4aa128968c1

Download Submit
C:\Users\Admin\Favorites\ÃÀÅ®ÊÓÆµÁÄÌì.url

Filesize
138B

MD5
b324dce5693edd4e8df0902d38bff5e2

SHA1
a5cd57f79f309f1bfdc4103fb73f6fc107b691e7

SHA256
554150ee44df6e1676373a951904dbf67aefda2f521184e15fa6b7a5980f94eb

SHA512
7cbe3704a60c0c1002a0f0648fb43ddcdfd44bdb65ebd3f88b8f29fd1f3e61c1ae25cae7d6e6f832773ccc47068d38422a4e8c60b1bd56e495d171c2c24ba71c

Download Submit
C:\Users\Admin\Favorites\ÌÔ±¦¹ºÎï.url

Filesize
135B

MD5
971c6a735a623358b013d44528942707

SHA1
03b058fa21afb28c10b9630bbae040095af8f335

SHA256
fdaf404d55a0d798f3f7a6a70bd023f02ebba07062b79dd50e543a18800be08f

SHA512
373c4cfefa02069d95d28320a9f7d7636b9c779a619a6c3aa77598e959dd0b09fa3f4238dc38c1f1843c09e82457c7d4a58cdfef2bf0cd300c75f501f7286b02

Download Submit
C:\Users\Admin\Favorites\ÐÔ¸ÐÃÀÅ®.url

Filesize
133B

MD5
5a52bb6c53b4839dfa8520a7fe5b53b5

SHA1
c124cd3787130609936d62d988e61067a22bb1d4

SHA256
cd201c825bcbe86a66c2cd500a0cfaca065fdabf753e220012a0cf8c90a4d0ee

SHA512
27812417c5379ba86787ee01130d6c2e85709f33b06dd2b35050b138dd75e76e10428d583274a17b8cf1bcae1fb031c904716318732eccf3b11f529982836710

Download Submit
C:\Users\Admin\Favorites\ÔÚÏßµçÓ°.url

Filesize
189B

MD5
410344edda7f66eed109b512a5c20d9c

SHA1
eb4a4646312a24d13d7bbc49c04c1f74879b199c

SHA256
2743d42f107c734d57ac9922e5d5949254ec3cb512374135d40a0607446afbc4

SHA512
1753e2104c563b377668be35aa1179ceba7ffc7854be9ed3d54e0e4b695cb0a0f3867aeb255e0a96651eb1580ac654db3c61fa7e6242d8b86c192f11b1bb71b1

Download Submit
C:\Users\Admin\Favorites\ÔÚÏßÂþ».url

Filesize
190B

MD5
6e028a15d5121ed2504d69fe97945899

SHA1
b664b2f0d5584382f42322c0daf49c515bd692e2

SHA256
5f4d7cb69f9919ca3bfb5e93f7bf5af8f6b31530d09fd34a9d64be3c70630bf4

SHA512
487daaf3e105012185c6f3f11787dcea31ec299cee6b1aa6f9e0c1e67929ea9d2134d642fc5b981a0918d7b25dff00f2fcb408cde7e1683458e0994fe481e718

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
168KB

MD5
32ecba76ba659c5ef30f8e970a72be55

SHA1
08e2a318f735f7217dbef29a605954f7730c61bd

SHA256
2ab30f84432cde6650af33a6c9eb9db414e42eefc798bf21ddf493523420b4a8

SHA512
7a99f85a617308a9a49bdd73c59043f4332556369cc7ccc378f79ea940429e4d70c88f1975ce7daa4cab3c3936d314ac80791641899ccc565d51acfc5647eb8a

Download Submit
C:\progra~1\kingsoft\kwssp.dll

Filesize
633KB

MD5
8c8dc085ab24bd23b77f146c78c8ff14

SHA1
3c01f9a5338fec055dd2fea36e468d160420a0b8

SHA256
ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

SHA512
4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

Download Submit
C:\progra~1\kingsoft\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
\??\c:\users\admin\appdata\local\temp\url.cab

Filesize
6KB

MD5
a850198c5a2a745131584d535fd8b1f1

SHA1
cc9e4398441b0960c8af687bc2c590ac2020f1f2

SHA256
3bb4f7b8125ee3adf9e8dcbe705335e54f09402367d174d466e1ae0249c95d09

SHA512
4680dd5c181d29bbbbce98c740d13bcc935b6d0aa603789936dae9c1df4e70bf5e8db7f246522505c9f85bd67caddec0047a88b8b52d3213c7ebe66c460ac4e1

Download Submit
memory/4496-96-0x0000000003A40000-0x0000000003AB0000-memory.dmp

Filesize
448KB

Download
memory/4496-1-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/4496-3-0x0000000000400000-0x0000000000780000-memory.dmp

Filesize
3.5MB

Download
memory/4496-123-0x0000000000400000-0x0000000000780000-memory.dmp

Filesize
3.5MB

Download
memory/4496-2-0x0000000000400000-0x0000000000780000-memory.dmp

Filesize
3.5MB

Download
memory/4496-0-0x0000000000400000-0x0000000000780000-memory.dmp

Filesize
3.5MB

Download
memory/4496-134-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/4768-88-0x00000000006E0000-0x0000000000750000-memory.dmp

Filesize
448KB

Download